403 Forbidden Request -- Puppet Server

I'm having issues expanding a puppet-server deployment beyond ten nodes. Specifically, the issue appears to be authentication-related, but I cannot track down what would cause it.

Deployment
I have a puppet-server deployment with an external CA. The master certificate is signed by an intermediate certificate and the agent certificates are signed by another intermediate. Both intermediates are signed by the same root. This is the deployment as described in the Puppet documentation. Additionally, I have a running Puppet DB deploy connected to Puppet.

The Problem
Before the problem started, I had 10 working nodes. I've had no issues with authentication using the external CA (certificates generated using EJBCA). When I attempted to add three additional nodes, each node has the same kind of errors that suggest authentication problems. These errors are 403 errors when running puppet agent -t.

When I disable the authentication on the puppet server in /etc/puppetlabs/puppet/auth.conf, the puppet agent -t command completes successfully. So, this suggests that it is tied to the puppet server authentication.

Because existing nodes were able to authenticate and run successfully, I revoked an existing certificate and generated a new certificate for one of the known working nodes. When running puppet agent -t, the run completes successfully ...

1 Answer

This was caused by a careless mistake. The ssl_client_ca_auth configuration directive was pointing to a non-existent file (it was named incorrectly). Once I discovered that, naming it correctly made the puppet runs complete successfully.
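The failure described in this answer (a CA-bundle setting naming a file that does not exist) can be caught before agents start getting 403s. The following is an added example, not part of the original post or of Puppet itself; the function names and return codes are hypothetical, and the only setting name taken from the page is ssl_client_ca_auth.

```shell
#!/bin/sh
# Added example, not from the original post. Checks that a puppet.conf setting
# naming a CA bundle (here ssl_client_ca_auth) points at a real PEM file.

# Print every value assigned to setting $2 in ini-style file $1, one per line.
conf_values() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*\[/ { next }   # comments, blanks, [sections]
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) print v
        }' "$1"
}

# Returns 0 if every assignment is usable, else the first problem found:
# 1 = not set, 2 = uses $variable interpolation, 3 = file missing or unreadable,
# 4 = file holds no PEM certificate.
check_ca_setting() {
    conf=$1; setting=$2; rc=0
    values=$(conf_values "$conf" "$setting")
    if [ -z "$values" ]; then
        echo "$setting: not set in $conf" >&2; return 1
    fi
    while IFS= read -r path; do
        case $path in
            *'$'*) echo "$setting: '$path' is interpolated, resolve it first" >&2; one=2 ;;
            *)  if [ ! -f "$path" ] || [ ! -r "$path" ]; then
                    echo "$setting: '$path' is missing or unreadable" >&2; one=3
                elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$path"; then
                    echo "$setting: '$path' contains no PEM certificate" >&2; one=4
                else
                    echo "$setting: ok ($path)"; one=0
                fi ;;
        esac
        [ "$rc" -ne 0 ] || rc=$one
    done <<EOF
$values
EOF
    return "$rc"
}
```

Run it as `check_ca_setting /etc/puppetlabs/puppet/puppet.conf ssl_client_ca_auth` (the config path is assumed from the directory named in the question). Return code 2 means the value has to be resolved first, for example with `puppet config print`.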